How to Protect your Internet Anonymity and Privacy/Your own TOR node on Amazon EC2

It is simple to contribute to the TOR network by hosting a TOR node on your EC2 instant. Starting from 2010, Amazon provides a free tier service for 1 year. Since the node is under your control, it cannot be compromised like selling aggregate information. You can also configure a totally private node for your own use with faster response, and also trouble free, totally anonymous website hosting.

The standard TOR client can also run on top of a VPN, adding another level of indirection. But this does not contribute to the TOR network, or increase the speed of TOR for your own traffic.

Installing TOR on EC2
Firstly, start an EC2 instant as described in the VPN section. In the security group, you have to add custom TCP, at port 8080. Start an SSH terminal session as in the VPN section.

You have to add the software depository into the file. You can use a text editor vi:


 * sudo vi /etc/apt/sources.list

add the line (for Ubuntu 10.10):


 * deb http://deb.torproject.org/torproject.org maverick main

Add the gpg key used to sign the packages:


 * gpg --keyserver keys.gnupg.net --recv 886DDD89
 * gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -

Refresh your sources and install Tor:


 * sudo apt-get update
 * sudo apt-get install tor tor-geoipdb

Configuring a TOR node
Save the file /etc/tor/torrc:
 * sudo mv /etc/tor/torrc /etc/tor/torrc.bak

Use an editor to create a /etc/tor/torrc file that contains:


 * SocksPort 0
 * ORPort 8080
 * BridgeRelay 1
 * Exitpolicy reject *:*
 * PublishServerDescriptor 0
 * BandwidthRate 300 KB
 * BandwidthBurst 350 KB
 * AccountingStart month 1 00:00
 * AccountingMax 1 GB

This configuration is for a private node, a bridge, for your own use. Normally a TOR route has 3 nodes, the entry, intermediate, and exit node. A bridge can only be used as an entry node.

By default your node is a public node, and can be used as an exit node. This exit policy will not allow being used as an exit node - a pure relay node so your node IP will only be used within the TOR network.

By default, a bridge node IP is not published, but the TOR network still collects them and issues them to public who request it via email. The PublishServerDescriptor setting turns the node into a private bridge.

The last four lines are important if you allow public to use your node. Currently EC2 allows 15 GB per month in the free tier.

TOR is started by:


 * /usr/sbin/tor &

From the response message you can see the IP of your node via self-test, and if the node is published or not.

Installing the TOR client
For unknown reasons I cannot install TOR in the client machine using the same procedure. You can download one of the TOR binary bundles from The TOR Project.

Once you tested the default configuration successfully, you can use your own bridge via Vidalia. In options>network, check that your ISP blocks TOR. Your add your bridge as:
 * :8080

where  is the IP you read when starting your TOR node in EC2, and basically is the IP part in the public DNS. You can also read the fingerprint but that's not necessary.

Other than using as a bridge, you can also configure and use your own EC2 node as an entry or exit node. You have to do it by setting options in the client torrc file.

In the server node at EC2, you give it a nickname in the torrc file:


 * Nickname mynick

In the client torrc file you can specify to use your own TOR server:


 * EntryNodes mynick
 * StrictEntryNodes 1

or


 * ExitNodes mynick
 * StrictExitNodes 1

You can do both if you have two different nodes. If the strict flag is not set, the use of the nodes is not mandatory. Instead of using nicknames, you can also use the IP of the node or fingerprint, both are displayed when you start your TOR server.